Oh no.

  • Eager Eagle@lemmy.world
    291 up · 2 down · 2 years ago

    Downfall, Inception, Meltdown, Spectre, I hate to see new vulnerabilities, but their naming choices are solid.

  • cybervseas@lemmy.world
    206 up · 2 down · 2 years ago

    Intel claims most consumer software shouldn’t see much impact, outside of image and video editing workloads…

    But that’s, like, the one place other than games where consumers are looking for performance. What’s left, web browsing and MS Office?

    • FaceDeer@kbin.social
      68 up · 13 down · 2 years ago

      I just skimmed through the article and it seems like this vulnerability is only really meaningful on multi-user systems. It allows one user to access memory dedicated to other users, letting them read stuff they shouldn’t. I would expect that most consumer gaming computers are single-user machines, or only have user accounts for trusted family members and whatnot, so if this mitigation causes too much of a performance hit I expect it won’t be a big risk to turn it off for those particular computers.

      • The Octonaut@mander.xyz
        84 up · 1 down · 2 years ago

        Would it mean that a malicious application being run in non-admin mode by one user could see data/memory in use by an admin user?

        • OverambitiousNewbie@sh.itjust.works
          82 up · 2 years ago

          It would indeed imply that, which is why this vulnerability is also serious for single-user contexts.

          The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible.

      • Espi@kbin.social
        45 up · 2 down · 2 years ago

        All these kinds of CPU-level vulnerabilities are the same: they are only really “risky” if there is malicious software running on the computer in the first place.

        The real problem is that these CPU-level vulnerabilities all break one of the core concepts of computers, which is process separation and virtual memory. If process separation is broken then all other levels of security become pointless.

        While for desktops this isn’t a huge problem (except when sometimes vulnerabilities might even be able to be exploited through browsers), this is a huge problem for servers, where the modern cloud usually has multiple users in virtual machines on a single server and a malicious user could steal information across virtual machines.

        • towerful@reddthat.com
          31 up · edited · 2 years ago

          Your first paragraph isn’t quite right.
          Modern hacks/cracks aren’t a “do this and suddenly you are in” type deal.
          It’s a cascade chain of failures of non-malicious software.
          Saying “don’t have a virus” is absolutely correct, however that’s not the concern here.
          The concern is about the broadening of the attack surface.

          A hacker gets minor access to a system. Leverages some CVE to get a bit more access, and keeps poking around and trying CVEs (known or unknown) until they get enough access to run this CVE.
          And then they can escape the VM onto the host or other VMs on the same system, which might then give them access to a VM on another host, and they can escape that VM to get access to another VM, and on and on.

          Very quickly, there is a fleet of VMs that are compromised. And the only sign of someone poking around is on the first VM the hacker broke into.
          All other VMs would be accessed using trusted credentials.

          ETA:
          In fact, it doesn’t even need to be a hacker.
          It could be someone uploading a CI/CD task using their own account. It extracts all API keys, usernames and passwords it can find.
          Suddenly, you have access to a whole bunch of repositories and APIs.
          Then you can sneak in some malicious code to the git repo, and suddenly your malicious code is being shipped within legit software that gets properly signed and everything.

      • gressen@lemm.ee
        33 up · 2 years ago

        It allows memory access across virtual machines as well, meaning that all cloud VMs are vulnerable.

        • FaceDeer@kbin.social
          4 up · 1 down · 2 years ago

          The machines that are running cloud VMs should obviously be patched. I wasn’t talking about those.

      • deejay4am@lemmy.world
        16 up · 2 years ago

        Processes that run on the same system can run as different users (including kernel) which is used for privilege separation. This can still allow a program in userland to peer into otherwise restricted system processes or the kernel. Every system is a “multi-user” system, even if there is only a single human user.

        • FaceDeer@kbin.social
          6 up · 1 down · 2 years ago

          Yes, but all the data that I care about is in my single human user’s account already. If I install malicious software then I’m already hooped regardless.

          Look, I’m not saying this is no biggie. There are plenty of systems out there that will have to install this patch. Single-user computers probably should too. The situation I’m addressing is the case where a gaming computer has its performance as a gaming computer measurably harmed by the patch’s overhead, which is reportedly significant in some cases. In those cases it’s reasonable to weigh the merits and decide that this vulnerability isn’t all that big a problem.

      • fmstrat@lemmy.nowsci.com
        12 up · 2 years ago

        Disagree. For non-security-conscious users who install that helper tool or plugin for their game, it can now read bank credentials from the browser.

        • FaceDeer@kbin.social
          4 up · 1 down · 2 years ago

          If you’re a non-security-conscious user installing malicious software on your computer then I don’t think there’s much that could help you.

          • fmstrat@lemmy.nowsci.com
            1 up · 2 years ago

            But these are the people we (the security community) should be helping. If we don’t help those who don’t have the skills to help themselves, scammers have a large target and keep on scamming. We are not a target.

            Granted, this post isn’t necessarily about that, but they’ll be the ones targeted regardless. Sometimes the best way to reduce the attack vector is about people, not software.

      • Arghblarg@lemmy.ca
        19 up · 27 down · edited · 2 years ago

        this vulnerability is only really meaningful on multi-user systems

        Well, that says it all. CPU manufacturers have no incentive at all to secure the computations of multiple users on a single CPU (or cores on the same die)… why would they? They make more cash if everyone has to buy their own complete unit, and they can outsource security issues to ‘the network’ or ‘the cloud’…

        Years ago when I was in University this would have been a deathblow to the entire product line, as multi-user systems were the norm. Students logged into the same machines to do their assignments, employees logged into the same company servers for daily tasks.

        I guess that isn’t such a thing any more. But wow, what a sh*tshow modern CPU architecture has become, if concern for performance has completely overridden proper process isolation and security. We can’t even trust that a few different users on the same machine can be separated properly due to the design of the CPU itself?

        • El Barto@lemmy.world
          28 up · 1 down · 2 years ago

          I’m not happy with what’s happening and I know that corporations are money-making evil machines.

          But to say that chip makers have no incentive at all to secure their hardware is quite the hyperbole.

          • Arghblarg@lemmy.ca
            1 up · 2 down · 2 years ago

            Fair enough, probably was hyperbole :) But performance does seem to be a higher priority than security; they can always spin PR after the next exploit, after all, users already have the CPU in their system, they’ve made their money; what are users really gonna do if an issue comes up after they’ve bought their box?

        • Eggymatrix@sh.itjust.works
          19 up · 2 years ago

          Are you aware that the majority of CPUs sold today go to cloud computing? Believe it or not, that is an application space with multiple users on the same machine.

          • AnUnusualRelic@lemmy.world
            4 up · 2 years ago

            Even on a single user machine, multiple users are very much a thing. Even Apple has left behind the DOS-like architecture where everything runs with the same rights. All current systems run with multiple concurrent users, notably root (or the Windows equivalent) and the keyboard operator (as well as dedicated ones for the various services, although that’s maybe more a thing in Unix/Linux than Windows).

          • Arghblarg@lemmy.ca
            1 up · 5 down · 2 years ago

            Good point. But I think performance is still a greater priority for those who make purchasing decisions, rather than basic security, and that’s the problem.

            • towerful@programming.dev
              6 up · 2 years ago

              Not at the enterprise level.
              Security means compliance, which means getting/keeping contracts and not getting sued.
              And they care more about performance-per-watt and density.

        • philluminati@lemmy.ml
          12 up · 1 down · edited · 2 years ago

          Processor manufacturers target their devices and sales towards cloud computing so they have a huge incentive to avoid having issues like these. It’s ridiculous to suggest otherwise.

        • FaceDeer@kbin.social
          1 up · 1 down · 2 years ago

          You’re reading an awful lot into what I said that wasn’t put in there.

          There’s nothing wrong with multi-user systems existing, there’s plenty of use for such things. This bug is really bad for those sorts of things. I was explicitly and specifically talking about consumer gaming computers, which are generally single-user machines. Concern for performance is a very real and normal thing on a gaming computer, it’s not some kind of weird plot. An actual multi-user system would obviously need to be patched.

        • Square Singer@feddit.de
          1 up · 12 down · 2 years ago

          I am so incredibly happy that those terrible multi-user systems are a thing of the past. Multiple seconds wait time for every mouse click are no fun.

          • AnUnusualRelic@lemmy.world
            4 up · 2 years ago

            Hey! I’ll have you know that a 68000 based server was good enough for about 60 users running X11 desktops back in the day!

            Kids today with their voodoo cards and whatnot.

            • Square Singer@feddit.de
              1 up · 2 years ago

              When I was in university, they were probably running the same server, but with Ubuntu and for 500 sessions at the same time. That crap was totally unusable.

    • philluminati@lemmy.ml
      12 up · 1 down · 2 years ago

      It’s not that they aren’t impacted, only that you “don’t see the impact” as noticeably.

  • hark@lemmy.world
    180 up · 11 down · 2 years ago

    Install backdoors and sell that info to governments and companies, then years later reveal the issue to justify downgrading performance of older CPUs to encourage people to upgrade.

  • TimeMuncher2@kbin.social
    99 up · 2 years ago

    According to him, billions of Intel processors are affected, which are used in private user computers as well as in cloud servers.
    Update: Intel’s Downfall was closely followed by AMD’s Inception, a newfound security hole affecting all Ryzen and Epyc processors.

    So both desktop and server chips are affected across both CPU manufacturers’ products. You can’t take any measures if your password is online on some server.

    • TWeaK@lemm.ee
      35 up · 4 down · 2 years ago

      I was going to say, AMD had a flaw of similar severity. And they won’t have a fix for a few months for most affected CPUs, and that fix will likely incur a loss in performance.

      Basically it sounds like both of these flaws are due to the security chip. I can’t help but feel like these flaws are by design. /tinfoil

    • June@lemm.ee
      5 up · 2 years ago

      From what I’m reading, Inception is a pretty minor vulnerability, especially compared to Downfall.

  • AvgJoe@lemmy.world
    73 up · 1 down · edited · 2 years ago

    It took them a year for a microcode fix and it still has a performance loss of 50% in some cases? Ew

    • Gsus4@feddit.nl
      3 up · edited · 2 years ago

      Good supplier for an offline supercluster 😄 I’ll let my grant manager know.

  • dual_sport_dork 🐧🗡️@lemmy.world
    67 up · 2 down · edited · 2 years ago

    Ha-ha. My chip’s too old to be affected. I don’t see my architecture on the list.

    I knew putting off upgrading for around a decade would pay off. (Windows Update tells me my PC is not “ready” for Windows 11 due to its hardware, either. Oh no, whatever shall I do.)

    • atticus88th@lemmy.world
      14 up · 2 years ago

      Don’t the older chips suffer from a greater performance drop from Spectre and Meltdown vulnerabilities?

    • ArcaneSlime@lemmy.dbzer0.com
      13 up · 1 down · 2 years ago

      This inspires confidence with my 2010 ass Toshiba Satellite with an i5 and 8 GB DDR3. I need to look and see if mine is too old lol.
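
On a Linux machine, the question running through this thread (is this chip affected, and is the mitigation actually on?) can be answered from the kernel's own status files. The script below is an added example, not something posted by anyone in the thread; it assumes a kernel recent enough to expose the `gather_data_sampling` (Downfall) and `spec_rstack_overflow` (Inception) entries under `/sys/devices/system/cpu/vulnerabilities`, and the function names are illustrative.

```python
"""Report Downfall / Inception mitigation state from Linux sysfs (added example)."""
from pathlib import Path

# Kernel sysfs directory; each file holds a one-line status string.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs entry names the kernel uses for the two issues named in the thread.
ENTRIES = {
    "gather_data_sampling": "Downfall (Intel)",
    "spec_rstack_overflow": "Inception (AMD)",
}


def classify(status: str) -> str:
    """Map a kernel status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        # Covers both "mitigation switched off" and "no microcode update loaded".
        return "vulnerable"
    # e.g. a VM guest that cannot see the host's microcode state.
    return "unknown"


def audit(sysfs_dir: Path = SYSFS_DIR) -> dict:
    """Return {label: (state, raw_status)} for each entry in ENTRIES."""
    results = {}
    for entry, label in ENTRIES.items():
        try:
            raw = (sysfs_dir / entry).read_text().strip()
        except FileNotFoundError:
            # A missing file means the kernel predates the fix, not that the CPU is safe.
            results[label] = ("unknown", "no sysfs entry (kernel does not report this issue)")
            continue
        results[label] = (classify(raw), raw)
    return results


if __name__ == "__main__":
    for label, (state, raw) in audit().items():
        print(f"{label:18} {state:13} {raw}")
```

A missing entry is reported as `unknown` rather than safe, because an old kernel simply has no knowledge of the issue.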

    • linearchaos@lemmy.world
      11 up · 7 down · 2 years ago

      Recall billions of processors?

      I hate Intel as much as the next person, but I don’t want them to disappear overnight, generating an unimaginably large processor shortage.

      • Skates@feddit.nl
        27 up · 2 down · edited · 2 years ago

        Then subsidize them for the recall, and take a percentage of their profits every year until it’s paid back. How is it OK to pass on a manufacturer defect to all consumers?

        • linearchaos@lemmy.world
          4 up · 3 down · edited · 2 years ago

          I’m not saying that it’s not a shit sandwich. I am saying that if Intel shut down right now we’d be pretty fucked. It would be far more likely for them to shut down production and walk away, start selling off patents and equipment. The strain it would put on Arm to pick up the gauntlet would probably mean you’re not going to see a new cell phone, television or new car for the next few years.

          What the hell are they going to do for a recall anyway? Are you going to have them go back 5 years and try to recreate every model of CPU between then and now? None of those motherboards are going to support new things.

          You get your five or $600 back on your CPU which ends up being $50 by the time it comes out of arbitration, now you need not only a new CPU but a new motherboard.

          It’s like wrecking your 15-year-old beater car, insurance company gives you $150 and says go find yourself a new car.

          edit: Look, Intel is worth 150 billion. If they paid $50 per processor for a couple billion refunds, they’d just go bankrupt. They’re going to run for years subsidized, making 0 profit and losing all their talent. It wasn’t their intent to screw it up, but here we are. There’s a patch that makes slow processors slower; honestly, that’s the end of their responsibility other than to help people get it installed.